control agent can now uboot commands
198
docs/coredns.md
Normal file
198
docs/coredns.md
Normal file
@@ -0,0 +1,198 @@
|
||||
## About /etc/crio/crio.conf.d/11-coredns.conf
|
||||
|
||||
CoreDNS fails with permission denied. Probably because of readonly RootFS.
|
||||
The current solution is to just allow port 20 up to bind without root
|
||||
|
||||
well this is just brute force allowing any ports 20 < to be yeah go ahead
|
||||
```
|
||||
[crio.runtime]
|
||||
default_sysctls = [
|
||||
"net.ipv4.ip_unprivileged_port_start=20"
|
||||
]
|
||||
```
|
||||
|
||||
CoreDNS wants 53. And users may want to have ssh servers
|
||||
|
||||
So just allow all the ports!
|
||||
|
||||
|
||||
## Diagnostics
|
||||
|
||||
I'll just put some of my findings in here.
|
||||
|
||||
Catching effective cap being 0x0000 (this is the issue?)
|
||||
```
|
||||
kubectl rollout restart deployment -n kube-system coredns
|
||||
while true; do
|
||||
PID=$(pgrep coredns)
|
||||
if [ ! -z "$PID" ]; then
|
||||
echo "Found CoreDNS PID: $PID"
|
||||
grep Cap /proc/$PID/status
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
CapInh: 0000000000000000
|
||||
CapPrm: 0000000000000000
|
||||
CapEff: 0000000000000000
|
||||
CapBnd: 0000000000000400
|
||||
CapAmb: 0000000000000000
|
||||
```
|
||||
|
||||
# find /var/lib/containers/storage/overlay-containers -name config.json | xargs grep "noNewPrivileges"
|
||||
|
||||
Current kernel config
|
||||
```
|
||||
gunzip -c /proc/config.gz | grep -e SECURITY -e LSM -e SECCOMP
|
||||
CONFIG_HAVE_ARCH_SECCOMP=y
|
||||
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
|
||||
CONFIG_SECCOMP=y
|
||||
CONFIG_SECCOMP_FILTER=y
|
||||
# CONFIG_SECCOMP_CACHE_DEBUG is not set
|
||||
CONFIG_IIO_ST_LSM6DSX=m
|
||||
CONFIG_IIO_ST_LSM6DSX_I2C=m
|
||||
CONFIG_IIO_ST_LSM6DSX_SPI=m
|
||||
CONFIG_IIO_ST_LSM6DSX_I3C=m
|
||||
# CONFIG_IIO_ST_LSM9DS0 is not set
|
||||
CONFIG_EXT4_FS_SECURITY=y
|
||||
CONFIG_UBIFS_FS_SECURITY=y
|
||||
CONFIG_NFS_V4_SECURITY_LABEL=y
|
||||
# CONFIG_9P_FS_SECURITY is not set
|
||||
# CONFIG_SECURITY_DMESG_RESTRICT is not set
|
||||
CONFIG_SECURITY=y
|
||||
CONFIG_HAS_SECURITY_AUDIT=y
|
||||
CONFIG_SECURITYFS=y
|
||||
CONFIG_SECURITY_NETWORK=y
|
||||
CONFIG_SECURITY_NETWORK_XFRM=y
|
||||
CONFIG_SECURITY_PATH=y
|
||||
# CONFIG_SECURITY_SELINUX is not set
|
||||
# CONFIG_SECURITY_SMACK is not set
|
||||
# CONFIG_SECURITY_TOMOYO is not set
|
||||
# CONFIG_SECURITY_APPARMOR is not set
|
||||
# CONFIG_SECURITY_LOADPIN is not set
|
||||
# CONFIG_SECURITY_YAMA is not set
|
||||
# CONFIG_SECURITY_SAFESETID is not set
|
||||
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
|
||||
# CONFIG_SECURITY_LANDLOCK is not set
|
||||
# CONFIG_SECURITY_IPE is not set
|
||||
CONFIG_DEFAULT_SECURITY_DAC=y
|
||||
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,ipe,bpf"
|
||||
```
|
||||
|
||||
`CONFIG_LSM` does not need `capability`. It works when testing CAP_NET_BIND manually.
|
||||
```
|
||||
# capsh --keep=1 --user=nobody --inh=cap_net_bind_service --addamb=cap_net_bind_service -- -c "grep Cap /proc/self/status"
|
||||
CapInh: 0000000000000400
|
||||
CapPrm: 0000000000000400
|
||||
CapEff: 0000000000000400
|
||||
CapBnd: 000001ffffffffff
|
||||
CapAmb: 0000000000000400
|
||||
```
|
||||
|
||||
And this also aligns with debian's `CONFIG_LSM`. They don't have `capability` hardcoded in.
|
||||
|
||||
Debian's working kernel config
|
||||
```
|
||||
grep -e SECURITY -e LSM -e SECCOMP /boot/config-$(uname -r)
|
||||
CONFIG_BPF_LSM=y
|
||||
# CONFIG_NFIT_SECURITY_DEBUG is not set
|
||||
CONFIG_HAVE_ARCH_SECCOMP=y
|
||||
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
|
||||
CONFIG_SECCOMP=y
|
||||
CONFIG_SECCOMP_FILTER=y
|
||||
# CONFIG_SECCOMP_CACHE_DEBUG is not set
|
||||
CONFIG_IP_NF_SECURITY=m
|
||||
CONFIG_IP6_NF_SECURITY=m
|
||||
CONFIG_IIO_ST_LSM6DSX=m
|
||||
CONFIG_IIO_ST_LSM6DSX_I2C=m
|
||||
CONFIG_IIO_ST_LSM6DSX_SPI=m
|
||||
# CONFIG_IIO_ST_LSM9DS0 is not set
|
||||
CONFIG_EXT4_FS_SECURITY=y
|
||||
CONFIG_REISERFS_FS_SECURITY=y
|
||||
CONFIG_JFS_SECURITY=y
|
||||
CONFIG_F2FS_FS_SECURITY=y
|
||||
CONFIG_JFFS2_FS_SECURITY=y
|
||||
CONFIG_UBIFS_FS_SECURITY=y
|
||||
CONFIG_EROFS_FS_SECURITY=y
|
||||
CONFIG_NFS_V4_SECURITY_LABEL=y
|
||||
CONFIG_NFSD_V4_SECURITY_LABEL=y
|
||||
# CONFIG_CEPH_FS_SECURITY_LABEL is not set
|
||||
CONFIG_9P_FS_SECURITY=y
|
||||
CONFIG_SECURITY_DMESG_RESTRICT=y
|
||||
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
|
||||
CONFIG_SECURITY=y
|
||||
CONFIG_SECURITYFS=y
|
||||
CONFIG_SECURITY_NETWORK=y
|
||||
# CONFIG_SECURITY_INFINIBAND is not set
|
||||
CONFIG_SECURITY_NETWORK_XFRM=y
|
||||
CONFIG_SECURITY_PATH=y
|
||||
CONFIG_LSM_MMAP_MIN_ADDR=65536
|
||||
CONFIG_SECURITY_SELINUX=y
|
||||
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
|
||||
# CONFIG_SECURITY_SELINUX_DISABLE is not set
|
||||
CONFIG_SECURITY_SELINUX_DEVELOP=y
|
||||
CONFIG_SECURITY_SELINUX_AVC_STATS=y
|
||||
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
|
||||
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
|
||||
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
|
||||
# CONFIG_SECURITY_SMACK is not set
|
||||
CONFIG_SECURITY_TOMOYO=y
|
||||
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
|
||||
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
|
||||
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
|
||||
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
|
||||
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
|
||||
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
|
||||
CONFIG_SECURITY_APPARMOR=y
|
||||
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
|
||||
CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
|
||||
CONFIG_SECURITY_APPARMOR_HASH=y
|
||||
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
|
||||
CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
|
||||
CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y
|
||||
# CONFIG_SECURITY_LOADPIN is not set
|
||||
CONFIG_SECURITY_YAMA=y
|
||||
# CONFIG_SECURITY_SAFESETID is not set
|
||||
CONFIG_SECURITY_LOCKDOWN_LSM=y
|
||||
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
|
||||
CONFIG_SECURITY_LANDLOCK=y
|
||||
CONFIG_IMA_LSM_RULES=y
|
||||
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
|
||||
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
|
||||
CONFIG_DEFAULT_SECURITY_APPARMOR=y
|
||||
# CONFIG_DEFAULT_SECURITY_DAC is not set
|
||||
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
|
||||
```
|
||||
|
||||
Debian's CoreDNS cap
|
||||
```
|
||||
# grep Cap /proc/1911/status
|
||||
CapInh: 0000000000000000
|
||||
CapPrm: 0000000000000400
|
||||
CapEff: 0000000000000400
|
||||
CapBnd: 0000000000000400
|
||||
CapAmb: 0000000000000000
|
||||
```
|
||||
|
||||
Debian's CRIO config
|
||||
```
|
||||
# cat /etc/crio/crio.conf.d/10-crio.conf
|
||||
[crio.image]
|
||||
signature_policy = "/etc/crio/policy.json"
|
||||
|
||||
[crio.runtime]
|
||||
default_runtime = "crun"
|
||||
|
||||
[crio.runtime.runtimes.crun]
|
||||
runtime_path = "/usr/libexec/crio/crun"
|
||||
runtime_root = "/run/crun"
|
||||
monitor_path = "/usr/libexec/crio/conmon"
|
||||
allowed_annotations = [
|
||||
"io.containers.trace-syscall",
|
||||
]
|
||||
|
||||
[crio.runtime.runtimes.runc]
|
||||
runtime_path = "/usr/libexec/crio/runc"
|
||||
runtime_root = "/run/runc"
|
||||
monitor_path = "/usr/libexec/crio/conmon"
|
||||
```
|
||||
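Review bot: The "About /etc/crio/crio.conf.d/11-coredns.conf" section records `net.ipv4.ip_unprivileged_port_start=20` as a node-wide `default_sysctls` entry without documenting the trade-off: every unprivileged process in every pod scheduled on that node can then bind ports 20 and above, which is exactly what CAP_NET_BIND_SERVICE normally gates, so the "just allow all the ports!" line should state that cost explicitly. The diagnostics below it point at a narrower fix: this node's CoreDNS shows CapBnd 0x400 (CAP_NET_BIND_SERVICE) with CapPrm/CapEff 0x0, while the Debian reference has CapPrm/CapEff 0x400, so the capability appears to be in the bounding set but not granted to the process; it would be worth recording that granting NET_BIND_SERVICE to the CoreDNS pod via `securityContext.capabilities.add`, or scoping the sysctl to that pod via `securityContext.sysctls` (it is a namespaced sysctl Kubernetes allows per pod), avoids the node-wide relaxation. Suggest replacing `So just allow all the ports!` with `Node-wide workaround: any pod can bind ports >= 20 without CAP_NET_BIND_SERVICE. Prefer granting the capability to the CoreDNS pod, or a per-pod sysctl, once the root cause is confirmed.` The opening guess `Probably because of readonly RootFS` conflicts with the capability findings that follow and should be marked as unconfirmed or revised.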
@@ -1,4 +1,4 @@
|
||||
Booting release image with bootusb
|
||||
## Booting release image with bootusb
|
||||
- Use this if you are flashing image from macos/flashusb.sh
|
||||
```
|
||||
setenv bootusb '
|
||||
@@ -18,8 +18,16 @@ setenv bootusb 'usb start; ext4load usb 0:2 ${mks_loadaddr} /boot/kernel.itb; bo
|
||||
run bootusb
|
||||
```
|
||||
|
||||
## Run fw_printenv and fw_setenv from kubectl
|
||||
```
|
||||
# Avoid using daemonset/control-agent if you have multiple nodes
|
||||
kubectl exec -n kube-system control-agent-abcdef1 -- /ctl internal fw-setenv --key foo --value bar
|
||||
|
||||
Original uboot env from mono
|
||||
# fw_printenv
|
||||
kubectl exec -n kube-system ds/control-agent -- /ctl internal fw-printenv --key foo
|
||||
```
|
||||
|
||||
## Original uboot env from mono
|
||||
```
|
||||
arch=arm
|
||||
baudrate=115200
|
||||
|
||||